Rust Security Policy

Reporting a Bug

Safety is one of the core principles of Rust, and to that end, we would
like to ensure that Rust has a secure implementation. Thank you for taking the
time to responsibly disclose any issues you find.

All security bugs in the Rust distribution should be reported by email to
security@rust-lang.org. This list
is delivered to a small security team. Your email will be acknowledged within 24
hours, and you'll receive a more detailed response to your email within 48
hours indicating the next steps in handling your report. If you would like, you
can encrypt your report using our public key.
This key is also on
MIT's keyserver and reproduced below.

This email address receives a large amount of spam, so be sure to use a
descriptive subject line to avoid having your report be missed. After the
initial reply to your report, the security team will endeavor to keep you
informed of the progress being made towards a fix and full announcement. As
recommended by RFPolicy,
these updates will be sent at least every five days. In reality, this is more
likely to be every 24-48 hours.

If you have not received a reply to your email within 48 hours, or have not
heard from the security team for the past five days, there are a few steps you
can take:

Post on the internals forums
or ask in the #rust-internals IRC room on irc.mozilla.org.

Please note that the discussion forums and #rust-internals IRC channel are
public areas. When escalating in these venues, please do not discuss your
issue. Simply say that you're trying to get hold of someone from the security
team.

Disclosure Policy

The Rust project has a 5-step disclosure process.

1. The security report is received and is assigned a primary handler. This
person will coordinate the fix and release process.

2. The problem is confirmed and a list of all affected versions is determined.

3. Code is audited to find any potential similar problems.

4. Fixes are prepared for all releases which are still under maintenance.
These fixes are not committed to the public repository but rather held locally
pending the announcement.

5. On the embargo date, the
Rust security mailing list is sent a copy of the announcement. The changes
are pushed to the public repository and new builds are deployed to
rust-lang.org. Within 6 hours of the mailing list being notified, a copy of
the advisory will be published on the Rust blog.

This process can take some time, especially when coordination is required
with maintainers of other projects. Every effort will be made to handle the bug
in as timely a manner as possible; however, it's important that we follow the
release process above to ensure that the disclosure is handled in a consistent
manner.